Hacker clones a politician’s fingerprint using normal, long-distance public photos


A member of the Chaos Computer Club — a European hacker association, perhaps a bit like the Cult of the Dead Cow in the US — has shown that it’s possible to reproduce someone’s fingerprint, and thus break into systems protected by biometric fingerprint scanners, using just a photo of someone’s finger. We’re not talking about some close-up macro photo, either: If you can snap a photo of a celebrity or politician waving their hand, that would probably be enough. In this case, the member of the CCC managed to get the fingerprint of Germany’s defense minister Ursula von der Leyen from a photo taken at a press conference — which, if the German government uses biometric access control systems, could be a bit of a security breach.

The hacker, Jan “Starbug” Krissler, presented his findings at Chaos Communication Congress earlier today. Using a photo of von der Leyen’s thumb obtained from a press conference in October, plus some other photos of her thumb from different angles, he was able to rebuild her thumbprint using the commercially available VeriFinger software. He then used this thumbprint to create a real-world dummy — by printing it out on a mask, exposing the mask to create a negative of the print on a substrate, and then filling the negative with wood glue to create a positive fingerprint.

In testing, this technique can trick Apple’s TouchID sensor — and if von der Leyen happens to own an iPhone, and Starbug can get his hands on it, she could be in trouble. We can only hope that Germany’s military systems use more than just fingerprints for access control.

The full talk from the Chaos Communication Congress is below — it’s in German, but there’s also a PowerPoint presentation that’s easy to follow.

The photo of German defence minister Ursula von der Leyen’s thumb that Starbug used to reverse engineer her thumbprint

The problem is, fingerprints are not particularly reliable — they can produce false positives, false negatives, and multiple readings of the same print can give different results. Fingerprints (for biometrics and forensics) are better than nothing, but there is a reason that both the security and forensic communities are moving away from them towards more reliable and valid techniques. DNA sequencing is a far better option when it comes to forensic identification, and “living” biometrics such as vein matching and gait analysis are better options for access control.

The main advantage of “living” biometrics is that, as the name implies, they don’t work if the person isn’t alive: Vein matching, which maps the flow of hemoglobin through blood vessels (usually in your finger), doesn’t work if your heart is no longer pumping — so you can’t use a photo of someone’s finger to fool the system (and a criminal can’t get in by chopping someone’s finger off, either). Some cash machines (ATMs) in Japan and Poland are already using vein analysis for authentication. Gait analysis, which quite literally measures how someone walks around (step length, width, rotation of the joints), might sound a bit dumb — but it’s surprisingly accurate, and obviously very hard for someone to imitate or steal.

Finally, a security advisory: If you are currently using your fingerprint to secure important data, you may want to start wearing gloves in public.